[mythtv-users] ssh attack

Robert Kulagowski bob at smalltime.com
Fri Dec 30 00:02:18 EST 2005


>>This of course won't happen behind a properly configured firewall, correct?
>>
>>Darren Hart wrote:
>>
>>
>>>I'm sure nobody here is dumb enough to do this, but since I was,
>>>thought I'd pass the word.
>>>
>>>There is an ssh attack going around with a brute force login using
>>>2187 different username/password pairs, one such pair happens to be:
>>>
>>>mythtv:mythtv

If you need to use ssh from outside your firewall, you could do what
I've done; get rid of a password-based logon altogether and use public
/ private keys.

Since I use putty at work, it's what I'm familiar with.  In a Windows
environment:

1) Download putty, puttygen and pageant from
http://www.chiark.greenend.org.uk/~sgtatham/putty/

2) Run puttygen to generate a public / private keypair.
3) Take the public key portion (it's just text) and paste it into
~/.ssh/authorized_keys
4) Edit /etc/pam.d/ssh and look for the line:
# Standard Un*x authentication.
@include common-auth

Put a "#" in front of @include common-auth so that it's:
#@include common-auth

This will restrict ssh from looking at /etc/passwd and /etc/shadow
5) Create a passphrase for the key that you just created.  Take the
private key that puttygen created for you and save it.  You'll need it
_every_ time you log in from that point on, even internally.  If you're
using putty, you'll need to provide the filename in connection > ssh >
auth when you're setting up your connection profile.
6) If you don't want to keep typing your passphrase every time, load the
private key into pageant; you type it in once, and then if you use putty
to log in, pageant will supply the passphrase automatically.
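
A check for step 4, as an added example that is not part of the original post: it confirms that "@include common-auth" is commented out in the PAM file and, as an assumption that goes beyond the post, that sshd_config sets PasswordAuthentication to no. The function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit whether sshd can still accept a password.
# Limits: Match blocks and Include directives are not evaluated.

# Print the effective value of an sshd_config keyword. The first occurrence
# wins and keywords are case-insensitive; DEFAULT is printed if it is unset.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD DEFAULT
    awk -v k="$2" -v d="$3" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print d }' "$1"
}

# Succeeds if the PAM file still has an active "@include common-auth" line,
# i.e. step 4 of the post has not been applied.
pam_includes_common_auth() {  # usage: pam_includes_common_auth FILE
    grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth([[:space:]]|$)' "$1"
}

# Returns 0 only when both checks pass. PasswordAuthentication defaults to
# "yes" in sshd, so an absent or commented-out keyword counts as a failure.
audit_ssh_password_auth() {  # usage: audit_ssh_password_auth SSHD_CONFIG PAM_FILE
    rc=0
    if [ "$(sshd_effective "$1" PasswordAuthentication yes)" != "no" ]; then
        echo "FAIL: PasswordAuthentication is not 'no' in $1"; rc=1
    fi
    if pam_includes_common_auth "$2"; then
        echo "FAIL: '@include common-auth' is still active in $2"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: both checks pass for $1 and $2"; fi
    return "$rc"
}

demo() {  # constructed sample files, not copied from a real host
    d=$(mktemp -d)
    printf '%s\n' '# Standard Un*x authentication.' '@include common-auth' > "$d/pam.before"
    printf '%s\n' '# Standard Un*x authentication.' '#@include common-auth' > "$d/pam.after"
    printf '%s\n' '#PasswordAuthentication yes' 'UsePAM yes' > "$d/sshd.before"
    printf '%s\n' 'PasswordAuthentication no' 'UsePAM yes' > "$d/sshd.after"
    audit_ssh_password_auth "$d/sshd.before" "$d/pam.before" || true
    audit_ssh_password_auth "$d/sshd.after" "$d/pam.after" || true
    rm -rf "$d"
}
demo
```

On a live host, pass /etc/ssh/sshd_config and /etc/pam.d/ssh to audit_ssh_password_auth; a non-zero exit status means one of the two checks failed.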

